i think what you are asking for is only partly possible, since the two requirements (accepting (and forwarding) administrative emails and rejecting mails from other users) are not orthogonal.

e.g. what happens, if a service wants to send an email to root via PHP's mail() interface? should it be allowed? forbidden? what happens (as is usually the case) if a service runs as an unprivileged user instead of root?

so i guess, what you really want is to only use the MTA for sending administrative emails from your local machine.

this can be accomplished by configuring your MTA to do the following (these are generic instructions to configure any MTA, not specific to postfix):

only accept emails from localhost (thus it will not accept emails from outside); do this by configuring your MTA to listen on 127.0.0.1 and/or by setting up a firewall that blocks all incoming traffic on port 25.

only accept emails for administrative accounts (root, webmaster, postmaster, abuse,...) and setup an alias to forward these emails to me@example.com

given that you control your own server, there is little use in blocking certain applications (e.g. php) from sending emails via your own mail-server. simply configure these applications to use a different mailserver (if need be), or re-evaluate your requirement.